stevekrouse
README.md

šŸ” Secret Share

End-to-end encrypted secret sharing. Zero trust required.

Send passwords, API keys, and sensitive text to anyone ā€” encrypted in your browser before it ever touches a server. The passphrase never leaves your device.

šŸ”— Try it live

Why This Is Trustworthy

Most secret-sharing tools ask you to trust that the server isn't logging your data. This one doesn't. Here's why:

Every line of source code is public. This app is built on Val Town, where the code that runs the server is the code you can read ā€” no hidden build steps, no compiled bundles, no deploy pipeline that could inject anything. What you see at stevekrouse/secret-share is exactly what runs when you use the app.

That means you can verify:

  • āœ… The passphrase is never sent to the server ā€” check client/app.tsx and shared/crypto.ts
  • āœ… The server only stores ciphertext, IV, and salt ā€” check server/db.ts
  • āœ… The API never receives or returns plaintext ā€” check main.ts
  • āœ… Encryption uses AES-256-GCM with PBKDF2 key derivation (600K iterations, SHA-256) via the Web Crypto API ā€” no homebrew crypto
  • āœ… The client-side code served to your browser is the same source file from this repo, transpiled by esm.town with no bundler in between

Even the app's author cannot read your secrets. The database contains only encrypted noise without the passphrase.

How It Works

Rendering mermaid diagram...

Security Model

LayerDetail
EncryptionAES-256-GCM (authenticated encryption)
Key DerivationPBKDF2 with SHA-256, 600,000 iterations
Salt128-bit random per secret
IV96-bit random per secret
PassphraseUser-supplied or auto-generated, never transmitted
Server storageCiphertext + IV + salt only ā€” no plaintext, no passphrase, no key material
ExpiryConfigurable: 1 hour ā†’ 30 days (default 1 week)
DeletionReceiver can destroy immediately after reading

Project Structure

secret-share/
ā”œā”€ā”€ main.ts              # Hono HTTP routes + API endpoints
ā”œā”€ā”€ server/
ā”‚   ā”œā”€ā”€ db.ts            # SQLite CRUD (stores only ciphertext)
ā”‚   ā””ā”€ā”€ render.tsx       # Server-side React rendering
ā”œā”€ā”€ client/
ā”‚   ā”œā”€ā”€ app.tsx          # React UI (create + reveal views)
ā”‚   ā””ā”€ā”€ hydrate.tsx      # Client-side hydration
ā””ā”€ā”€ shared/
    ā”œā”€ā”€ types.ts         # Shared TypeScript interfaces
    ā””ā”€ā”€ crypto.ts        # AES-256-GCM encrypt/decrypt (Web Crypto API)

Tech Stack

  • Runtime: Val Town (Deno)
  • Server: Hono
  • UI: React 18 (SSR + hydration, JSX only ā€” no HTML/CSS/JS strings)
  • Styling: Twind (Tailwind-in-JS)
  • Database: Val Town SQLite
  • Crypto: Web Crypto API (built into every modern browser and Deno)

Usage

  1. Create: Enter your secret ā†’ passphrase is auto-generated (or type your own) ā†’ click "Encrypt & Create Link"
  2. Share: Copy the link and passphrase ā€” send them via different channels (e.g. link in Slack, passphrase in a text message)
  3. Receive: Open the link ā†’ enter the passphrase ā†’ read the secret
  4. Destroy: Click "Delete This Secret Now" to remove it before expiry

šŸ“– View the full source code on Val Town ā†’